ISE Network Access Security Policy Document - High/Low
Has anybody created the High and Low level designs for the NASP?
This is my first time and it's always easier to have a template to work off of than to reinvent the wheel. An incomplete example is displayed below, but I was hoping someone had a complete one of high and low.
Employee Authorization Rule

Table of Contents for Employee Security Policy:

I. Members pg. xxx
II. Acceptable Use Policy pg. xxx
III. Windows 7 Security Requirements pg. xxx
    1. Approved AV Installed & Up-to-date pg. xxx
        a. Security checks pg. xxx
        b. Security rules pg. xxx
IV. Network Access Permissions pg. xxx
    1. VLAN Segmentation pg. xxx
        a. Noncompliant Posture VLAN pg. xxx
        b. Access VLAN Name/ID pg. xxx
    2. Access Control List pg. xxx
    3. SmartPort Macro pg. xxx
    4. Security Group Tag number pg. xxx
...

IV. Network Access Permissions
    1. VLAN Segmentation – Yes
        a. Noncompliant Posture VLAN = quarantine-vlan/100
        b. Access VLAN Name/ID = employees/10
    2. Access Control List – Yes
        a. Compliant ACL = permit All IP
        b. Noncompliant ACL =
            5  Permit TCP from any to “AUP web server” equaling 80
                Description: Allow anyone to access the acceptable use policy link
            10 Permit TCP from any to “Link based remediation resources” equaling 80 & 443
                Description: Allow web traffic to the appropriate remediation resources
            20 Permit TCP from any to “file based remediation” equaling 80 & 443
                Description: Allow web traffic to the cam for remediation file distribution
            30 Permit UDP from any to “dmz DNS Server” equaling DNS
                Description: Allow DNS only to the dmz dns server
            40 Deny IP from any to any
                Description: Block everything else
    3. SmartPort Macro – no
    4. Security Group Tag number – 10

(Example taken from Cisco ISE for BYOD and Secure Unified Access, p. 64)
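The noncompliant-posture ACL in the post only works as a quarantine because the rules are evaluated first-match and end with an explicit deny. The following is an added example, not code from the original post or from the book it quotes: a small first-match evaluator that loads the five rules as written and checks sample flows against them, so a design reviewer can confirm that a quarantined endpoint reaches only the AUP page, the remediation hosts and the DMZ DNS server. The host addresses behind the named objects ("AUP web server", "dmz DNS Server", and so on) are constructed placeholders, since the post names the objects but gives no addresses.

```python
"""First-match evaluation of the noncompliant-posture ACL from the post.

Added example; not from the original post or the book it quotes.
The addresses in OBJECTS are constructed placeholders for the named
objects, not real hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholder addresses for the named objects in the ACL.
OBJECTS = {
    "AUP web server": ["10.10.1.10"],
    "Link based remediation resources": ["10.10.1.20", "10.10.1.21"],
    "file based remediation": ["10.10.1.30"],
    "dmz DNS Server": ["10.10.2.53"],
    "any": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches every protocol)
    dst: str              # object name, looked up in OBJECTS
    ports: Tuple[int, ...]  # allowed destination ports; () means any port
    description: str


# The five rules exactly as listed in the post, sequence numbers preserved.
NONCOMPLIANT_ACL: List[Rule] = [
    Rule(5, "permit", "tcp", "AUP web server", (80,),
         "Allow anyone to access the acceptable use policy link"),
    Rule(10, "permit", "tcp", "Link based remediation resources", (80, 443),
         "Allow web traffic to the appropriate remediation resources"),
    Rule(20, "permit", "tcp", "file based remediation", (80, 443),
         "Allow web traffic to the cam for remediation file distribution"),
    Rule(30, "permit", "udp", "dmz DNS Server", (53,),
         "Allow DNS only to the dmz dns server"),
    Rule(40, "deny", "ip", "any", (),
         "Block everything else"),
]


def _dst_matches(rule: Rule, dst_ip: str) -> bool:
    """True if dst_ip falls inside any member of the rule's destination object."""
    addr = ip_address(dst_ip)
    return any(addr in ip_network(entry, strict=False) for entry in OBJECTS[rule.dst])


def evaluate(acl: List[Rule], proto: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[Optional[int], str]:
    """Return (sequence, action) of the first rule that matches the flow.

    If no rule matches, (None, "deny") is returned: every Cisco ACL ends in
    an implicit deny, which is why rule 40 is only there to make it visible.
    """
    for rule in acl:
        if rule.proto != "ip" and rule.proto != proto:
            continue
        if not _dst_matches(rule, dst_ip):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.seq, rule.action
    return None, "deny"


def has_explicit_deny_all(acl: List[Rule]) -> bool:
    """Design check: the last entry should be an explicit deny ip any any."""
    last = acl[-1]
    return last.action == "deny" and last.proto == "ip" and last.dst == "any"


if __name__ == "__main__":
    # Constructed sample flows a quarantined endpoint might generate.
    flows = [
        ("tcp", "10.10.1.10", 80),     # AUP page
        ("tcp", "10.10.1.10", 443),    # AUP server, but HTTPS is not permitted
        ("tcp", "10.10.1.21", 443),    # remediation resource
        ("udp", "10.10.2.53", 53),     # DMZ DNS
        ("udp", "8.8.8.8", 53),        # DNS to a non-DMZ resolver
        ("tcp", "93.184.216.34", 443), # arbitrary internet host
    ]
    for proto, ip, port in flows:
        seq, action = evaluate(NONCOMPLIANT_ACL, proto, ip, port)
        print(f"{proto:3} {ip:15} {port:5} -> rule {seq}: {action}")
    print("explicit deny-all present:", has_explicit_deny_all(NONCOMPLIANT_ACL))
```

Running it shows that only the four intended destinations are permitted and that everything else, including DNS to a resolver outside the DMZ, lands on rule 40. Dropping rule 40 does not open anything (the implicit deny still applies), but keeping it explicit makes the hit counters visible on the switch, which is useful when troubleshooting a quarantined endpoint.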